Threat Hunting > [T2]: Creating a Custom Detection Rule with MITRE ATT&CK Framework

In this lesson, we will create a custom detection rule in Kibana and map it to the MITRE ATT&CK framework. This rule will help us identify potentially malicious activity such as the execution of the Netcat process.

Simulate Netcat Process Execution: First, we will simulate a Netcat process execution. On your lab machine, open a terminal and run the following command:

nc -w 1 -z scanme.nmap.org 20-80

This command performs a TCP port scan (-z, scan mode without sending data) of ports 20-80 on the scanme.nmap.org domain, with a one-second connection timeout (-w 1).

Create a New Rule in Kibana: To create a new rule, go to the global search bar in Kibana and type "create new rule". Click on the first result to open the rule creation interface.

Configure the Rule: Make sure you select the following settings for the rule:

  • Rule type: Custom query
  • Source: Data View (logs-*)
  • Custom query: process.name : "nc" and event.action : "exec"

Click "Continue" to proceed to the next step.

Set Rule Details: Assign a name, description, and severity level for your rule. You can also add a tag to help categorize the rule. In this example, we will use the tag "Linux".

Advanced Settings and MITRE Mapping: Click on "Advanced settings" and populate the MITRE ATT&CK fields with the appropriate tactics and techniques related to the Netcat process execution.

Schedule the Rule: Set the rule to run every 5 minutes and click "Continue".

Create and Enable the Rule: Review your rule settings and click on "Create and activate rule" to enable the rule.

Testing the Rule: Open the Alerts Dashboard in Kibana and set the auto-refresh interval to 1 second. Run the Netcat command again (nc -w 1 -z scanme.nmap.org 20-80) and watch the Alerts Dashboard. Because the rule is scheduled to run every 5 minutes, the alert can take up to a few minutes to appear.
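As an added example (not code from the lesson or from Elastic), the following Python re-implements the lesson's custom query offline and runs it over a few constructed ECS-style process events, including records the rule must not match. The rule name, severity and the use of the five-minute interval as the lookback window are my assumptions; the MITRE mapping is left out because the lesson leaves that choice to you.

```python
# Added example, not the lesson's code: its custom query re-implemented offline over constructed events.
from datetime import datetime, timedelta, timezone

# The lesson's query: process.name : "nc" and event.action : "exec"
# Both are ECS keyword fields, so KQL matches the whole value, not a substring.
RULE = {
    "name": "Netcat process execution",  # name and severity chosen for this example
    "severity": "medium",
    "tags": ["Linux"],                   # the tag used in the lesson
    "interval_minutes": 5,               # the schedule set in the lesson
}

def field(event, dotted):
    """Resolve an ECS dotted field name (e.g. process.name) against a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """Equivalent of the lesson's KQL: exact match on both fields."""
    return field(event, "process.name") == "nc" and field(event, "event.action") == "exec"

def run_rule(events, now, interval_minutes=RULE["interval_minutes"]):
    """One scheduled run: look back one interval and build an alert per matching event."""
    window_start = now - timedelta(minutes=interval_minutes)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if window_start <= ts <= now and matches_rule(ev):
            alerts.append({"rule": RULE["name"], "severity": RULE["severity"],
                           "tags": RULE["tags"], "host": field(ev, "host.name"),
                           "command_line": " ".join(field(ev, "process.args") or [])})
    return alerts

# Constructed sample events shaped like Elastic Agent process events (not real lab data).
NOW = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T12:03:00Z", "host": {"name": "lab-01"}, "event": {"action": "exec"},
     "process": {"name": "nc", "args": ["nc", "-w", "1", "-z", "scanme.nmap.org", "20-80"]}},  # alert
    {"@timestamp": "2024-01-01T12:03:01Z", "host": {"name": "lab-01"}, "event": {"action": "end"},
     "process": {"name": "nc", "args": ["nc"]}},       # process exit, not exec: no alert
    {"@timestamp": "2024-01-01T12:04:00Z", "host": {"name": "lab-01"}, "event": {"action": "exec"},
     "process": {"name": "ncat", "args": ["ncat"]}},   # name is not exactly "nc": no alert
    {"@timestamp": "2024-01-01T11:30:00Z", "host": {"name": "lab-02"}, "event": {"action": "exec"},
     "process": {"name": "nc", "args": ["nc"]}},       # older than the 5-minute window: no alert
]
print(run_rule(SAMPLE_EVENTS, NOW))
```

Only the first sample event produces an alert; the exit event, the differently named binary and the stale event all fall through, which is the behaviour to expect from the Kibana rule as configured.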

By creating custom detection rules with the MITRE ATT&CK framework, you can improve your security monitoring capabilities and quickly identify potential threats in your environment.